Securing yourself online

My blog has been slightly inactive on account of my travels. Here is a little Christmas gift. This article contains points that I have distilled from a presentation that I have made for the same purpose, i.e. educating people about what they can do to make their online lives more secure.

There are a number of things that we can do to keep our valuable data private and available to us when we need it. Here are a bunch of them that I apply in my personal life. They start from the simple and free and go towards the technically complex and paid. Note that I have avoided putting in details on how to do each item as the article is already long. Doing a search on Google (or DuckDuckGo) with the heading should provide you with more details on each item.

Caveat: none of the advice below guarantees your security. If the NSA wants to see what you’re doing, they probably will. Security requires ‘defence in depth’. If one measure is surmountable, it helps to have another measure to back you up. If a malicious entity somehow breaks the security of your VPN, they may be set back by your HTTPS connections; if they sniff/steal your password, they may be set back by your 2FA token. Those of us in the information security industry hope for (and work toward) a future where the layman does not need to have sophisticated IT knowledge in order to secure their lives. Read on!

Backups
Some stuff is too valuable to have only one copy of. In the event that a hard disk fails, you will want to have a backup in another hard disk or on the cloud. Every article that I write is initially typed up on my computer / online storage before it is copied into my website. Additional hard disks for storing large volumes of photos and videos is now cheap.

Password locking & password managers
If your computer connects to the internet, it can be easily accessed remotely and it needs a password. Make it at least 15 characters and do not reuse the same password anywhere else. Read this series of posts aboutpassword management and stop trying to memorise all your passwords. Get a password manager to remember passwords for you. Make your passwords totally random, long, distinct (do not use the same one in two places) and unmemorable. One password for your computer, one for your phone and one for the password manager should be all you need to remember. I have also come across recommendations (there is no consensus) to not use  security questions that allow you to recover your account if you should forget your password. They fill the security question field with gibberish. Security questions to help reset passwords are a weakness that allows people to access accounts without cracking their passwords.

Windows update (and other autoupdates)
This is a critical and fundamental security measure. Ensure that automatic updates are turned on by default for your Windows and other software on your computer. The browsers that you use and MS Office are critical. Java and Flash are notorious for their vulnerabilities and need frequent updates. Any time a vulnerability is found, there is a race between manufacturers trying to push updates to users and malicious actors attempting to exploit the vulnerability. Enabling auto updates keeps you on the safer side of the curve.

Windows firewall
The default firewall on your computer should be enabled. More precisely, do not disable it.

Antivirus
This is something fundamental. It should not give you a sense of security, but having antivirus or antimalware software is a minimum security requirement. Plenty of free and paid antivirus software are available. The fact that you pay for it does not necessarily make it better.

Pirated software and jailbroken devices
Using pirated software is a good way to introduce malware into your computer yourself. The act of jailbreaking a device to give it features that the manufacturers did not intend it to have necessarily requires breaking the security of the device. Avoid doing these things. Get software that is free to use or buy commercial software.

Mobile phones
If your phone allows biometric authentication, enable it and use it. Your secondary authentication mechanism must be a long PIN / password (10+ characters minimum, 14+ optimal). The PIN might be slightly easier to use on account of the bigger size of the buttons. Drawing patterns and 6-digit PINs are easily observed by shoulder surfing and easily broken by technical means. Do not leave the phone where others can physically access it.

Laptops and other portables
These devices should not be left in places where other people can access them. It is possible for someone malicious to fry your computer by plugging something nasty into its USB drive in seconds (see USBKILL) and walk away. It is also possible for someone to gain control of a locked computer, again by sticking something into the USB port, in seconds. The cost of gaining access? A $5 device (see PoisonTap). The previously mentioned advice about HTTPS also helps with the last item.

Encrypt the hard disks of devices (including phones) to protect data from theft in the event that the device is physically taken. Encryption is not a panacea. It is effective if the device is switched off, but it might be possible for a skilled attacker to extract data from a powered – on device.

Connecting to WIFI
Never connect to free insecure WIFI is the general security advice. Some people go further, choosing to always carry their personal WIFI router with them when they travel. Having a VPN connection enabled by defaultmay be a mitigating measure to connect to insecure WIFI (see below).

Email
Avoid clicking on links on opening attachments sent to you by email. This is the easiest way people get hacked – not through fancy technical mumbo-jumbo, but though stuff sent to you by email. Avoid forwarding any email that asks you to forward it.

USB drives
USB is infamous for being fundamentally insecure. At a basic level, never plug in an unknown USB stick into your computer, especially if you find it in the car park or on your desk. This includes iPads and phones that need to be charged – i.e. anything that has a hard disk. Don’t do it as a favour to someone that you do not know (some of us would not do it as a favour to people whom we do know). Disable autorunning of USB devices. You can find a number of articles explaining how to do this for your operating system. Also recollect the two items (USBKill and PoisonTap) mentioned in the section about keeping portable devices physically secure.

Software and apps
In general, install software and apps only from trusted parties. Do not install mobile apps from outside the standard app stores. For mobile phones, be wary of apps that ask for many permissions to function. The newest versions of IOS and Android allow users to give the app permissions only when it actually needs them.

Browser & websites


Any site that you login to must use HTTPS. Do not enter credentials or personal information such as date of birth, credit card information or ID information into a site that has no HTTPS. Add on the HTTPS Everywhere free plugin to your browser to force all sites that have more secure encrypted versions to provide you with the encrypted version of the site. Using HTTPS does not ensure security (it requires a slightly technical and much longer article), but without it one can not expect web browsing security.

Automatically clear your cache when you close the browser. This may be hard to get used to, but it makes it significantly harder for third parties (and first party sites) to track you. This can prevent websites from showing you the inflated prices that they showed you the first time you visited – since they no longer know that you had already visited. Enable the do not track feature. Use an ad blocker to block advertisements. Advertisements are a way for malware to spread through web browsers and to slow down your browsing. The site owner usually has no control over what content is provided to you in advertisements. A year ago, Forbes spread malware to its readers through advertisements.

Use a different browser for stuff like your email and social media that require you to log in and another browser for all other browsing. This can prevent Facebook from knowing that you’re planning a vacation to Iceland and providing you with ads. It can also prevent a malicious site that you happen to be on from reading information that you provide another site.

Control what is on your social media
Periodically check privacy settings on social media to understand how the content that belongs to you is used by companies such as Facebook, LinkedIn and Twitter. Tagging your face on pictures makes it easy for software to identify your face resulting in consequences that may be positive or negative. In general, do not post things on social media that you may regret if someone reads it out of context. It is easy for someone to screenshot your post and paste it elsewhere, minus the context. Avoid giving out information such as your date of birth and family members as this information may be used by your bank or a government to authenticate you. (When was the last time you had to tell someone on the phone your birth date or your mother’s maiden name to convince them that you were you? It can’t have been very long ago.)

Home router
Critical: change the default username and password for the WIFI router. This is typically something like ‘admin’ for username and password. In many cases you can reach the settings page by typing in “192.168.0.1” or “192.168.1.1” into your browser. Change the SSID (i.e. the WIFI name) and if possible disable access point broadcasting. Default SSIDs make it trivial to find the kind of WIFI router and makes it that much easier to attack. I have known wireless printers to be unable to connect if you disable AP broadcasting, so it might not always be possible. Use WPA2-PSK security with a long password for connecting to the WIFI (note that this is different from the router admin password). Periodically update the router software (every half year is a good bet for the layman).

SMS and phone calls
Understand that the providers of your mobile connection have all information about the numbers that you dial and the contents of the SMSs that you send. They can also listen to your calls. If this concerns you, you might want to use encrypted messaging (see ‘different providers’ section) and encrypted calling services. They function in a foolproof manner only when both people use the service and the encryption is end to end, but encrypting content to the service provider gives some amount of privacy as well.

Use a VPN
Virtual private networks (VPNs) are commonly used to create an encrypted remote connection between a person and his office environment when he is not on site. This technology can be used to protect your internet browsing data as well. VPNs can be used to protect your browsing if you need to connect to weakly protected WIFI networks and to mask your location from thisa  parties. VPN software typically require payment, but can be cheap.

Edit 2 (31 Jan 2017): I have removed this recommendation altogether because using the wrong VPN provider can cause greater risk to the user than not using a VPN at all. Too high a proportion of VPNs are implemented insecurely / have a shady business model for this recommendation to stand [research paper].
Edit: VPN caveats: Not all VPNs are created equal. Understand their business model and whether they do actually value your privacy. Obviously, the VPN provider has the ability to read data when it enters and leaves the tunnel (prior to any VPN encryption) unless the traffic is encrypted even before it goes into the VPN (e.g. all your Facebook and Gmail traffic). If the VPN is available for free, ask why. Does their business model depend upon selling user information?

 

Use different providers altogether
Use providers of services who respect your privacy and do not use your information for their own benefit. Try DuckDuckGo for search instead of Google; secure email services instead of Gmail (which reads your mail) or Live mail / Outlook (which can read your mail). If you are still using Yahoo!, please stop now! (right now!) The same goes for messaging tools and VOIP. See the Electronic Frontier Foundation’s (EFF) secure messaging scorecard regarding security and privacy. You may be pleased to know that the most common messaging application, Whatsapp, is quite good at the moment.

The password-reuse attack

There was news very recently about an online storage provider named Carbonite being “breached” through a password reuse attack. What might that be?

It is just as it sounds like: an attacker reusing a password that they already have. This obviously requires no technical skills. One doesn’t have to “hack” in order to do a password reuse attack.

Is this even an attack? How did the attacker gain the password in the first place? There was an actual attack by people who may have had technical skills at one point. They would have tried hacking a popular site or application (a recently publicised example: LinkedIn). They may have gotten the usernames and passwords of a large number of users if they were successful. It appears that Mark Zuckerberg’s Twitter and Pinterest accounts were accessed this way.

Given that they already had this list of credentials, they could proceed to use the username – password combination on other sites. How many people can tell that they do not use the same credentials in at least a few sites?

What can you do to prevent this?

Simple and obvious: use different passwords for different sites. Do not reuse them.

But I can’t remember so many different passwords! 

Of course you can’t. And you shouldn’t try! Use a password manager. I have written a whole bunch of articles about them. Once you start, you can safely give up on remembering a whole bunch of long and complex passwords.

Lessons from Target on password complexity
Choosing your password manager
Passwords ain’t nothing but trouble

Choosing your password manager

I have advocated password managers in a few previous posts. Here are a few considerations when you go about picking one for your own use:

How are your passwords stored?
The technical implementation may be hard for most users to figure out, so you may need to rely on reviews by others. The passwords need to be stored with an encryption algorithm that can only be retrieved using your master password (password to the password manager). Read their documentation explaining how they store passwords to understand. The company / people who own the password manager (if such a group exists) should not be able to retrieve your passwords even if they wanted to. This is Security 101. Convince yourself that this is how it is done before you proceed further with any password manager. Also – do not store passwords in your browser unless you secure them with a master password.

Cloud-based or local software
Are your passwords going to be stored in the cloud (the internet) or will they be stored only in your computer? There are advantages and disadvantages for both. Cloud-based password managers may have the advantage that you can use them on multiple devices: your personal laptop, perhaps your work computer, maybe even your mobile. A password manager installed locally on just one computer allows users access to their passwords only on that computer.

Conversely, a cloud-based password manager is a target for attack from the internet. Criminals will go after it given how valuable the contents are. There is less of that risk if your passwords are only stored on your computer.

2-factor authentication
Pick a software that allows 2-factor authentication. Enable it. Use it. Know what to do in the event that something happens that makes it difficult for you to access your 2nd factor (e.g. loss of a security token or your mobile phone to receive 2FA messages). Each password manager will have different methods of handling this.

Open-source or proprietary
Open-source software is software for which the code is publicly available. Proprietary software code is not. Prevailing security wisdom recommends open-source software. Proprietary software has less eyes looking at it and the odds are higher that someone who does detect vulnerabilities in the software does not wish to reveal it for fear of backlash from the company. Keeping code hidden is not great security practice, but it may be justifiable as a business practice. Some people may be willing to sacrifice some features if that is what it takes to use open-source software. Some will find the features to be worth the risk of ‘trusting’ a business. All other things being equal, choose an open-source password manager.

Which password manager does the author use?
I will keep that out of this essay in order to keep this article unbiased. Spend some time doing your own research before you ask.

Related posts
Passwords ain’t nothing but trouble
Lessons from Target on password complexity
When is 2FA not 2FA?

Lessons from Target on password complexity

US retailer Target was infamously hacked in 2013, causing the credit card records of tens of millions of customers to be stolen. Target had its systems assessed and came up with some findings which Brian Krebs has just made public. While there are many lessons in this, I want to focus on one item: the passwords.

The Verizon security team was able to crack a large number of Target’s passwords in a week. Observe that most of the listed top 10 passwords were at least 8 characters long, had small letters, capitals, numbers and a special character. Despite the credentials adhering to the password policy, the passwords were successfully cracked.

The lesson: password complexity rules may be outdated. It is quite possible to stick with the letter of the compliance requirement and be quite insecure. Consider using password managers with really long passwords and multi-factor authentication systems. Meanwhile we should look into technologies that move beyond passwords for authentication.

Also see my previous post: Passwords ain’t nothing but trouble

Passwords ain’t nothing but trouble

You may be familiar with the standard script that your IT gives you about password complexity: it must have 8 characters or more, at least one small letter, one capital, one numeric character and one special. If you are in IT, you may have even seen the Dilbert strip above and felt it hit home.

What’s with these requirements? It is the length and complexity of a password that determine how a hacker with very little information about the user can crack the password. The methods are various: For a password with just 6 characters, a “brute-force” attempt can be made using all possible combinations of six characters to match a piece of encrypted text that is known to contain one’s password. If it is longer, “dictionary attacks” are made against known common passwords or actual words as brute force rapidly loses effectiveness. So “Pa$$w0rd” is a bad password, despite it having all the requirements stated in the first line.

The problem here is that the more complex and long the password becomes, the harder it is for the user to remember. This results in the worst problem of all: The password gets written down.

I have come across many posts over the years trying to cover this topic. I recall someone recommending passphrases on the basis that length and not complexity was key to making a password unhackable. Then there is this:

And yet we have missed something crucial. All of the discussion so far was about one password. I now have more than one hundred passwords, about twenty of which I use on a weekly basis. None of these methods are even slightly usable if we have to remember such a large number of passwords.

If we try to memorise, we need to find some patterns with slight variations. If we do lose a couple of these patterns, a person who is interested in getting your information may figure out the pattern. There are some sites that we use that may store passwords very poorly, sometimes even in clear text.

I mostly gave up on memorisation a few months ago and started using a password manager. This comes with its own set of problems. If, for some reason, the password manager is unavailable when one needs to log in, login may be impossible. If someone malicious (or merely mischievous) should get access to one’s unlocked password manager, one can get locked out of all one’s accounts. If the password manager is installed locally on one device, you still need some means of remembering passwords when using other devices. If it stores information that is accessible over the internet it can be used from many devices, but may be more vulnerable to attack.

What can we do? There are people working on that very question. Biometrics is one possibility for the future. We now have mobile phones that unlock upon fingerprint and finger swipe identification and office doors that open using retinal scans. If these technologies gain wide commercial acceptance in various products that we use, they may one day allow us to log in to websites and applications as well. People have currently proven many of these technologies to be theoretically hackable, but the products will keep improving.

Plenty of smart cards are brought out all the time, but they tend to have one flaw: they can easily be lost / stolen. Technologies are now coming up that require the smart card in addition to a biometric or a simple memorisation option. For the sake of our security and convenience, I hope that passwords get replaced by something better in the next decade or two.

This essay was originally posted at my LinkedIn  page: https://www.linkedin.com/pulse/passwords-aint-nothing-trouble-vijay-luiz